Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Tatuya Kamada
gitlab-ce
Commits
a3191463
Commit
a3191463
authored
Jan 02, 2016
by
Grzegorz Bizon
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add path sanitization to `StringPath`
[ci skip]
parent
3de8a462
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
27 additions
and
12 deletions
+27
-12
lib/gitlab/string_path.rb
lib/gitlab/string_path.rb
+27
-12
No files found.
lib/gitlab/string_path.rb
View file @
a3191463
...
@@ -5,15 +5,12 @@ module Gitlab
...
@@ -5,15 +5,12 @@ module Gitlab
# This is IO-operations safe class, that does similar job to
# This is IO-operations safe class, that does similar job to
# Ruby's Pathname but without the risk of accessing filesystem.
# Ruby's Pathname but without the risk of accessing filesystem.
#
#
# TODO, better support for '../' and './'
#
class
StringPath
class
StringPath
attr_reader
:path
,
:universe
attr_reader
:path
,
:universe
def
initialize
(
path
,
universe
,
metadata
=
[])
def
initialize
(
path
,
universe
,
metadata
=
[])
@path
=
prepare
(
path
)
@path
=
sanitize
(
path
)
@universe
=
universe
.
map
{
|
entry
|
prepare
(
entry
)
}
@universe
=
universe
.
map
{
|
entry
|
sanitize
(
entry
)
}
@universe
<<
'./'
unless
@universe
.
include?
(
'./'
)
@metadata
=
metadata
@metadata
=
metadata
end
end
...
@@ -60,15 +57,16 @@ module Gitlab
...
@@ -60,15 +57,16 @@ module Gitlab
def
descendants
def
descendants
return
[]
unless
directory?
return
[]
unless
directory?
children
=
@universe
.
select
{
|
entry
|
entry
=~
/^
#{
@path
}
.+/
}
select
{
|
entry
|
entry
=~
/^
#{
@path
}
.+/
}
children
.
map
{
|
path
|
new
(
path
)
}
end
end
def
children
def
children
return
[]
unless
directory?
return
[]
unless
directory?
return
@children
if
@children
return
@children
if
@children
children
=
@universe
.
select
{
|
entry
|
entry
=~
%r{^
#{
@path
}
[^/]+/?$}
}
@children
=
children
.
map
{
|
path
|
new
(
path
)
}
@children
=
select
do
|
entry
|
self
.
class
.
child?
(
@path
,
entry
)
end
end
end
def
directories
def
directories
...
@@ -104,9 +102,26 @@ module Gitlab
...
@@ -104,9 +102,26 @@ module Gitlab
self
.
class
.
new
(
path
,
@universe
)
self
.
class
.
new
(
path
,
@universe
)
end
end
def
prepare
(
path
)
def
select
return
path
if
path
=~
%r{^(/|
\.
|
\.\.
)}
selected
=
@universe
.
select
{
|
entry
|
yield
entry
}
path
.
dup
.
prepend
(
'./'
)
selected
.
map
{
|
path
|
new
(
path
)
}
end
def
sanitize
(
path
)
self
.
class
.
sanitize
(
path
)
end
def
self
.
sanitize
(
path
)
# It looks like Pathname#new doesn't touch a file system,
# neither Pathname#cleanpath does, so it is, hopefully, filesystem safe
clean
=
Pathname
.
new
(
path
).
cleanpath
.
to_s
raise
ArgumentError
,
'Invalid path'
if
clean
.
start_with?
(
'../'
)
clean
+
(
path
.
end_with?
(
'/'
)
?
'/'
:
''
)
end
def
self
.
child?
(
path
,
entry
)
entry
=~
%r{^
#{
path
}
[^/
\s
]+/?$}
end
end
end
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
